bug-wget

Re: [Bug-wget] GnuTLS certificate loading


From: Ángel González
Subject: Re: [Bug-wget] GnuTLS certificate loading
Date: Sat, 03 Aug 2013 00:14:38 +0200
User-agent: Thunderbird

On 02/08/13 16:11, Tim Ruehsen wrote:
> Hi,
>
> I realized that gnutls.c loads every file it can find in the given
> ca_directory (default: /etc/ssl/certs).
>
> For me (on Debian SID) it means every certificate is loaded 4 times!
>
> Example Visa certificate:
> ~/src/wget/src$ l /etc/ssl/certs|grep Visa
> lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 6fcc125d.0 ->
> Visa_eCommerce_Root.pem
> lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 a760e1bd.0 ->
> Visa_eCommerce_Root.pem
> lrwxrwxrwx 1 root root     58 27-10-11 09:39:52 Visa_eCommerce_Root.pem ->
> /usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt

I wonder why you have two different hashes for the same file. Maybe one of them
comes from an old Visa_eCommerce_Root.crt?
Those hashes are normally created by c_rehash(1).

> That is 3 times plus loading of ca-certificates.crt kept in /etc/ssl/certs/,
> which seems to contain all certificates from /etc/ssl/certs.

Almost. It contains all certificates activated in /etc/ca-certificates.conf (all, by
default). See update-ca-certificates(8).

> It would be easy to fix that, if backwards compatibility wasn't an issue:
> 1. If we just load *.pem files, we would miss *.crt files
> 2. If we just load *.crt files, we would miss *.pem files
> 3. If we load both *.pem and *.crt files, we also load aggregations like
> ca-certificates.crt (loading certs twice).

We are obtaining the final inode in the stat(). We should keep a list of loaded
inodes to avoid loading the same file several times.
Although that wouldn't fix the duplication with aggregations.

> My favorite would be to use
>         gnutls_certificate_set_x509_system_trust()
> for the default case (opt.ca_certificate == NULL) instead of the hard-coded
> /etc/ssl/certs/. This function loads all certs from the 'system' certs
> directory just once.

Looks good.

> For a user-provided cert directory, we should keep the current behavior of
> loading every file in the directory. Anything else may break Wget
> compatibility.
>
> I already have made the changes, but would like to see comments and/or
> opinions.
>
> Regards, Tim
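The duplicate loading discussed above, as an added example that is neither wget's gnutls.c nor GnuTLS code. It rebuilds the directory layout from Tim's listing in a constructed tree under /tmp (a real file, a .pem symlink to it, two c_rehash-style hash links, an aggregate ca-certificates.crt, plus one more cert so the aggregate is not trivial; the PEM bodies are placeholders, not certificates) and walks it the way a "load every file in the ca_directory" loop would. It then counts what the inode list Ángel proposes removes, and, going beyond the thread, also compares the PEM blobs themselves, which is what it would take to catch the aggregate as well. The file and directory names, the helper names and the MAX_ITEMS bound are assumptions made for the demo; only POSIX calls are used.

```c
/* Added example (not code from wget or GnuTLS): reproduce the 4x loading of
 * one root on a constructed tree, then show what (st_dev, st_ino) dedup
 * fixes and what only comparing PEM bodies fixes. POSIX only, no TLS lib. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ITEMS 64                 /* demo bound, plenty for the tree below */
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----\n"

/* Constructed placeholder blobs; the bodies are not real certificates. */
static const char VISA[]  = PEM_BEGIN "\nVISA_ROOT_PLACEHOLDER\n" PEM_END;
static const char OTHER[] = PEM_BEGIN "\nOTHER_ROOT_PLACEHOLDER\n" PEM_END;

struct load_stats {
    int files_opened;  /* naive: every entry that stat()s as a regular file */
    int unique_files;  /* after (st_dev, st_ino) dedup */
    int certs_parsed;  /* PEM blobs read from the unique files */
    int unique_certs;  /* after comparing PEM blobs byte for byte */
};

static int write_text(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Mimic Debian: share/X.crt is the real file, certs/X.pem links to it, two
 * <hash>.0 links point at the .pem, Other_Root.pem is a plain file, and
 * ca-certificates.crt aggregates everything. Returns malloc'd certs path. */
char *make_fake_cert_tree(void) {
    char tmpl[] = "/tmp/certdemoXXXXXX", p[512], certs[512];
    char agg[sizeof VISA + sizeof OTHER];
    const char *base = mkdtemp(tmpl);
    if (!base) return NULL;
    snprintf(p, sizeof p, "%s/share", base);          mkdir(p, 0755);
    snprintf(certs, sizeof certs, "%s/certs", base);  mkdir(certs, 0755);
    snprintf(p, sizeof p, "%s/share/Visa_eCommerce_Root.crt", base);  write_text(p, VISA);
    snprintf(p, sizeof p, "%s/Visa_eCommerce_Root.pem", certs);
    symlink("../share/Visa_eCommerce_Root.crt", p);
    snprintf(p, sizeof p, "%s/6fcc125d.0", certs);  symlink("Visa_eCommerce_Root.pem", p);
    snprintf(p, sizeof p, "%s/a760e1bd.0", certs);  symlink("Visa_eCommerce_Root.pem", p);
    snprintf(p, sizeof p, "%s/Other_Root.pem", certs);  write_text(p, OTHER);
    snprintf(agg, sizeof agg, "%s%s", VISA, OTHER);
    snprintf(p, sizeof p, "%s/ca-certificates.crt", certs);  write_text(p, agg);
    return strdup(certs);
}

static char *slurp(const char *path) {            /* demo files are tiny */
    char buf[4096];
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strdup(buf);
}

struct load_stats load_ca_dir(const char *dir) {
    struct load_stats s = {0, 0, 0, 0};
    dev_t seen_dev[MAX_ITEMS]; ino_t seen_ino[MAX_ITEMS];
    char *seen_pem[MAX_ITEMS]; int npem = 0;
    struct dirent *e;
    DIR *d = opendir(dir);
    if (!d) return s;
    while ((e = readdir(d)) != NULL) {
        char path[1024]; struct stat st; int i, dup = 0;
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        /* stat() follows symlinks, so all three Visa names yield one inode */
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) continue;
        s.files_opened++;
        for (i = 0; i < s.unique_files; i++)
            if (seen_dev[i] == st.st_dev && seen_ino[i] == st.st_ino) dup = 1;
        if (dup || s.unique_files == MAX_ITEMS) continue;
        seen_dev[s.unique_files] = st.st_dev;
        seen_ino[s.unique_files] = st.st_ino;
        s.unique_files++;
        char *text = slurp(path);
        if (!text) continue;
        /* An aggregate holds many blobs; check each against those seen so far */
        for (char *b = strstr(text, PEM_BEGIN); b; b = strstr(b + 1, PEM_BEGIN)) {
            char *end = strstr(b, PEM_END);
            if (!end) break;
            size_t n = (size_t)(end - b) + strlen(PEM_END);
            s.certs_parsed++;
            dup = 0;
            for (i = 0; i < npem; i++)
                if (strlen(seen_pem[i]) == n && memcmp(seen_pem[i], b, n) == 0) dup = 1;
            if (!dup && npem < MAX_ITEMS) seen_pem[npem++] = strndup(b, n);
        }
        free(text);
    }
    closedir(d);
    s.unique_certs = npem;
    while (npem > 0) free(seen_pem[--npem]);
    return s;
}

int main(void) {
    char *dir = make_fake_cert_tree();
    if (!dir) return 1;
    struct load_stats s = load_ca_dir(dir);
    printf("%s: %d files stat'd, %d unique inodes, %d PEM blobs, %d distinct certs\n",
           dir, s.files_opened, s.unique_files, s.certs_parsed, s.unique_certs);
    free(dir);
    return 0;
}
```

On this tree the naive walk opens 5 files and would load the Visa root 4 times, exactly Tim's count; the inode list cuts that to 3 unique files, but the Visa root is still read twice (once from its own file, once from ca-certificates.crt), which is Ángel's point about aggregates; only the body comparison brings it down to 2 distinct certificates. The demo tree is left under /tmp so the listing can be inspected with ls -l.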



